The fourth industrial revolution is making the world more digitally connected. While the connectedness has fostered a feeling of the world becoming smaller, the cyber risk landscape has simultaneously grown bigger.
This development has elevated cybersecurity from being an IT issue to being an unavoidable threat that the leadership and top management need to deal with. This reality is reflected in our survey, as most Danish organisations seem to have incorporated cybersecurity in their leadership agendas.
What does the survey show?
On average, 68% of the Danish organisations across all sectors indicate that they have cybersecurity on their leadership agendas on a quarterly basis or more frequently. As for the remaining 32%, cybersecurity is on the leadership agenda twice a year or less frequently.
Sector deep dive
A closer look at the data shows that organisations in the financial sector (FS) have cybersecurity on their leadership agendas more frequently than those in the other sectors.
Our survey indicates that cybersecurity is frequently on the leadership agenda in most Danish organisations. It is indeed a positive outlook that an average of 68% of the participating organisations state that cybersecurity is on the leadership agenda on a quarterly basis or more frequently. This also shows that most organisations have realised the importance of having a well-informed understanding of the cyber threat landscape.
Our sector deep dive shows that the leadership in the financial sector has cybersecurity on its agenda more frequently than the other sectors. This is no surprise, as cybersecurity has long been a prominent part of the financial sector’s business operations, e.g. in the context of fraud detection and prevention. This, combined with the increasingly tight cyber regulations in the financial sector, may have helped the financial sector to prioritise the cybersecurity agenda.
When assessing the three other sectors, we see a large variation in how often cybersecurity is on the leadership agenda. 30% of the organisations in the ERS have cybersecurity on the leadership agenda on a monthly basis; yet we also see that 11% of organisations in the same sector discuss cybersecurity less frequently than once a year.
Similarly, we see that 17% of organisations in the PS and 19% of organisations in the CGS indicate that cybersecurity is on their leadership agendas once a year or less frequently. In contrast, approximately one-third of the organisations in the same two sectors state that cybersecurity is on their agendas at least once a month.
The differences in leadership prioritisation indicate a varying cybersecurity maturity level across the sectors.
In summary, while the overall results show a positive trend for most Danish organisations, there is room for improvement for the remaining 32% that cover cybersecurity with the top management semi-annually or less frequently. Frequency is not the only criterion for prioritisation; yet it is likely that a higher frequency offers opportunities for making more informed decisions due to a generally improved understanding of the cybersecurity landscape, and for aligning investments accordingly.
An important question remains unanswered by our survey: does the prominence of cybersecurity at the leadership levels yield sufficient action and capability to stop the cyber threats Danish organisations are facing? Reviewing the rest of the survey responses, we still believe that there is a way to go from an increased understanding of cybersecurity to tangible actions to stay ahead of the cyber threats.
The bigger picture
Briefing the top management
An organisation’s top management needs to be frequently briefed on cyber threats and what this means for the organisation. Such briefings should occur at least every quarter.
Practice makes perfect
Frequent briefing of the top management can contribute to the organisations’ cybersecurity maturity levels, as it can channel investments into the right capabilities.
Briefings alone, however, are not sufficient to prepare an organisation’s top management for major cybersecurity incidents and the resulting business impacts. Organisations should regularly train the board and top management in cyber risks aligned with the business’ threat landscape and KPIs using tailored training and simulations.
This will not only allow management to make better investment decisions but also increase the organisation’s ability to respond to and recover from major incidents with a potential business impact.